Tim's use case is addressed in the Usage Guide (3.21.5). You can register the wrapped key as an opaque cryptographic object. In this case, the key format type is opaque, and not the object type.

Regarding John's question, we don't address this case in the KMIP documentation. If the key should never be exported in plaintext, it should really be stored as an opaque object.

-Indra

From: Mathias Bjoerkqvist1 [mailto:MBJ@zurich.ibm.com]
Sent: Thursday, June 09, 2011 9:06 AM
To: jl@quintessencelabs.com
Cc: kmip-interop-tech@lists.oasis-open.org
Subject: RE: [kmip-interop-tech] Key wrapping use case

"John Leiseboer" <jleiseboer@bigpond.com> wrote on 09.06.2011 17:40:45:

> And is it okay for the server – if it has a policy that requires key
> wrapping for certain keys – to return the requested key wrapped when
> the client omits the Key Wrapping Specification from the Get
> request? Or would/should the server reject such a request?

Actually, I'm not sure about that. I couldn't find any text on this in the specification. The Usage Guide has much more on key wrapping, but it didn't seem to address this issue either. So for v1.0, I would say that you could interpret the spec in a way that allows the server to return the key wrapped, even if the client did not ask for this. I don't think this was intended, and I think this needs to be clarified.

Tim wrote:

> How do you register a wrapped key that never has a plaintext version of it
> available? What does GET do for that?

IIRC, you have to specify the Unique Identifier of the wrapping key when you register a wrapped key. That Unique Identifier should exist on the server, but maybe it doesn't have to? I'd have to look that up. However, the key that the Unique Identifier points to may have been registered without the key material. If you then tried to get the key unwrapped, the server would not be able to unwrap it and would return a PERMISSION_DENIED (?) error.

Another issue is that there is no way for the client to find out which key(s) it should ask to get the key wrapped with after it has registered it.

If a server could return the key wrapped even when not requested to be wrapped by the client, then would we also need a new option to explicitly ask for the key unwrapped (wrapped might be the default server policy for a specific key, but unwrapped might still be allowed if explicitly asked for)?

Regards,
Mathias
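The thread above turns on one concrete detail of the wire protocol: whether a Get request carries a Key Wrapping Specification. The following is an added example (not code from the thread, from OASIS, or from any KMIP implementation) that builds a KMIP 1.0 Get request in TTLV encoding with and without that structure, decodes it back, and shows the check a server would run to see what the client actually asked for. Tag, type and enumeration values are the ones published in the KMIP 1.0 specification's TTLV tables (section 9.1.3); the unique identifiers "key-1" and "kek-7" are constructed sample data. The function `requested_wrapping_key` is the decision point John's question raises: when it returns `None`, the spec text does not say whether a wrap-required server should wrap anyway or reject, so that is a policy choice, not something the encoding settles.

```python
"""Constructed example: KMIP 1.0 TTLV encoding of a Get request, with and
without a Key Wrapping Specification. Values per KMIP 1.0 section 9.1.3."""
import struct

# TTLV item types (KMIP 1.0, 9.1.1.2)
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07

# Tags used in this example (KMIP 1.0, 9.1.3.1)
TAG = {
    "Request Message": 0x420078, "Request Header": 0x420077,
    "Protocol Version": 0x420069, "Protocol Version Major": 0x42006A,
    "Protocol Version Minor": 0x42006B, "Batch Count": 0x42000D,
    "Batch Item": 0x42000F, "Operation": 0x42005C,
    "Request Payload": 0x420079, "Unique Identifier": 0x420094,
    "Key Wrapping Specification": 0x420047, "Wrapping Method": 0x42009E,
    "Encryption Key Information": 0x420036,
}

OP_GET = 0x0A        # Operation enumeration: Get
WRAP_ENCRYPT = 0x01  # Wrapping Method enumeration: Encrypt


def ttlv(tag, typ, value):
    """Encode one item: 3-byte tag, 1-byte type, 4-byte big-endian length,
    then the value padded with zero bytes to a multiple of 8."""
    if typ == STRUCTURE:
        payload = b"".join(value)
    elif typ in (INTEGER, ENUMERATION):
        payload = struct.pack(">I", value)  # length field is 4; padded to 8 below
    elif typ == TEXT_STRING:
        payload = value.encode("utf-8")
    else:
        raise ValueError("type not handled in this example")
    length = len(payload)
    header = struct.pack(">I", tag)[1:] + bytes([typ]) + struct.pack(">I", length)
    return header + payload + b"\x00" * ((-length) % 8)


def structure(tag, *children):
    return ttlv(tag, STRUCTURE, children)


def get_request(uid, wrapping_key_uid=None):
    """Build a KMIP 1.0 Get request. A Key Wrapping Specification (Wrapping
    Method = Encrypt, Encryption Key Information naming the wrapping key) is
    included only when the caller supplies wrapping_key_uid."""
    payload = [ttlv(TAG["Unique Identifier"], TEXT_STRING, uid)]
    if wrapping_key_uid is not None:
        payload.append(structure(
            TAG["Key Wrapping Specification"],
            ttlv(TAG["Wrapping Method"], ENUMERATION, WRAP_ENCRYPT),
            structure(TAG["Encryption Key Information"],
                      ttlv(TAG["Unique Identifier"], TEXT_STRING, wrapping_key_uid)),
        ))
    return structure(
        TAG["Request Message"],
        structure(TAG["Request Header"],
                  structure(TAG["Protocol Version"],
                            ttlv(TAG["Protocol Version Major"], INTEGER, 1),
                            ttlv(TAG["Protocol Version Minor"], INTEGER, 0)),
                  ttlv(TAG["Batch Count"], INTEGER, 1)),
        structure(TAG["Batch Item"],
                  ttlv(TAG["Operation"], ENUMERATION, OP_GET),
                  structure(TAG["Request Payload"], *payload)),
    )


def decode(buf):
    """Decode TTLV bytes into a list of (tag, type, value); structures nest."""
    items, off = [], 0
    while off < len(buf):
        tag = int.from_bytes(buf[off:off + 3], "big")
        typ = buf[off + 3]
        length = struct.unpack(">I", buf[off + 4:off + 8])[0]
        raw = buf[off + 8:off + 8 + length]
        if typ == STRUCTURE:
            value = decode(raw)
        elif typ in (INTEGER, ENUMERATION):
            value = struct.unpack(">I", raw)[0]
        elif typ == TEXT_STRING:
            value = raw.decode("utf-8")
        else:
            value = raw
        items.append((tag, typ, value))
        off += 8 + length + ((-length) % 8)  # skip value and its padding
    return items


def find(items, tag):
    """Depth-first search for the first item carrying the given tag."""
    for t, typ, v in items:
        if t == tag:
            return (t, typ, v)
        if typ == STRUCTURE:
            hit = find(v, tag)
            if hit is not None:
                return hit
    return None


def requested_wrapping_key(request_bytes):
    """Server-side check for the case in the thread: return the wrapping key
    UID the client named, or None if the Get has no Key Wrapping Specification.
    What to do on None (wrap anyway, or reject) is server policy, not encoding."""
    spec = find(decode(request_bytes), TAG["Key Wrapping Specification"])
    if spec is None:
        return None
    eki = find(spec[2], TAG["Encryption Key Information"])
    return find(eki[2], TAG["Unique Identifier"])[2]


if __name__ == "__main__":
    print(requested_wrapping_key(get_request("key-1")))
    print(requested_wrapping_key(get_request("key-1", wrapping_key_uid="kek-7")))
```

Running the block prints `None` for the plain Get and `kek-7` for the one carrying a Key Wrapping Specification. Everything the encoder emits is 8-byte aligned, which is the property the decoder relies on when it skips padding; a real server would validate lengths against the buffer before trusting them.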